Yet Another File Integrity Checker

This utility is the youngest of the file integrity utilities, so the
documentation is quite lean. Your choices are man yafic, man
yafic.conf, and sourceforge.net/projects/yafic/.

This utility is similar to aide in that you should keep the
database on a floppy, as it will not be signed. Again, a sample configuration
file is created for you: /usr/local/share/examples/yafic/yafic.conf.sample.

Copy and rename that file so it doesn't have the sample extension. Here,
I've copied it to root's home directory:

Okay, it wants one of three options. From man yafic, those
three options do the following:

-c checks the database.

-u updates the database (or initializes a new database).

-l lists entries in the database.

So, I'll mount a floppy and try again:

$ mount -t msdos /dev/fd0 /mnt
$ yafic -u yafic.db

When using yafic, make sure you are in the directory
containing yafic.conf and that you specify the name of the database you
wish to create or check.

Once you've created the initial database, unmount the floppy and remove it
from the floppy drive. Whenever you want to check the database, remount the
floppy, cd to the directory containing yafic.conf,
and use the -c (check) switch:

$ yafic -c yafic.db

Again, any changes will be displayed to your screen. If you prefer to read
the changes at a slower pace, redirect the output to a file:

$ yafic -c yafic.db > changes
$ more changes

Once you've resolved your changes, use the -u switch to update
the database. Don't forget to unmount the floppy and remove it from the floppy
drive when you are finished.

File Integrity Utilities Summary

You've probably noticed that all of these file integrity utilities follow the same
routine:

Initialize a database.

Check the database.

Update resolved changes into the original database.

Repeat on a regular basis.

Ultimately, since it is you who will have to follow the routine, choose the
utility whose switches and configuration file make the most sense to you. I
encourage you to try all three utilities and choose the one that most fits your
personality.

DDoS Testing Utilities

As promised, I also want to take a look at DDoS testing utilities. If
you've never been to Dave
Dittrich's page, you're in for a treat. This is a definitely bookmarkable
site with tons of valuable information, and is the resource
for DDoS information on the Internet. His actual DDoS page is staff.washington.edu/dittrich/misc/ddos/.

If you're unfamilar with the term DDoS, it stands for Distributed Denial of
Service. Basically, this type of attack looks for vulnerable hosts. Once a
host is infected, it will in turn look for other vulnerable hosts to infect.
Once enough hosts are infected (potentially hundreds of thousands), they are
used to launch a collective attack against a target. For example, you may
remember hearing about the DDoS attack against the root DNS servers.

Several utilities in the ports collection can determine if your FreeBSD
computer or the computers in your network have been infected by a DDoS agent.
The three most common Unix DDoS agents and the types of packets they use are:

trinoo

UDP 27444, UDP 27665

tfn

uses ICMP

stacheldraht

TCP 16660, TCP 65000, ICMP

For details on each DDoS agent, see David Dittrich's DDoS page.

Let's start with ddos_scan, the utility created by Dittrich:

$ cd /usr/ports/security/ddos_scan
$ make install clean

This will install an executable at /usr/local/sbin/dds and
a file at /usr/local/share/doc/ddos_scan/README. The file
contains a lot of useful information regarding DDoS, and I highly recommend that
you take the time to read it.

This utility is designed to scan an entire network, looking for infected
hosts. Its syntax is:

$ dds A.B.C.D/mask

For example, if your network has a network ID of 192.168.10,
specify your network and mask as follows:

$ dds 192.168.10.0/24

If you only want to scan your own machine, simply give the IP address with
no mask:

$ dds 192.168.10.1

When running this utility, it's good to receive no output. That means the
utility didn't find any infected hosts. The README file shows
examples of what the output will be and what to do about it, if an infected
host is found.

This is a good utility to run as a cron job. If you're new to
cron, check out "Getting
cron to Do Our Bidding." Remember to give the full path to
dds in your crontab entry.

The NIPC (National Infrastructure Protection Center) has released a similar
utility. At the moment, their web site is at www.nipc.gov, but that will slowly transition to www.dhs.gov. This
utility was designed to scan only the local machine for DDoS agents, so it is
suitable if you only have one FreeBSD computer. To build this port:

$ cd /usr/ports/security/find_ddos
$ make install clean

It will install an executable at /usr/local/sbin/find_ddos
and a document at /usr/local/share/doc/find_ddos/README.

To run this utility, simply type:

$ find_ddos
Running with the following default options:
find_ddos -g files -l LOG -p /tmp /
This material and tool is furnished on an "as is" basis. There are no
warranties of any kind, either expressed or implied as to any matter
including, but not limited to, warranty of fitness for a particular purpose
or merchantability, exclusivity or results obtained from use of the
material. There is no warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
If the program "find_ddos" generates a log file revealing unlawful access
of a tested system, system administrators are encouraged to contact their
local FBI field office or the NIPC.
Please review the README file before continuing.
Do you accept these terms? yes
In the future, you can run this tool with the "-y" option from the
command line to acknowledge these terms
Logging output to: LOG
WARNING: Unable to scan running processes.
This will happen if the /proc directory is not a procfs.
Scanning "/tmp"...
Scanning "/"...
No DDOS tools found.

Editor's Note: Astute reader Erik Johansson pointed out that
find_ddos could in fact be run from cron, contrary to what the
original article stated. Dru suggested the following revision.

The output of this utility clearly indicates whether or not a DDoS agent
was found. Note that if you want to include this check in a cron job, you'll
need to include the y switch to indicate acceptance of the
license. However, if you just try this:

% /usr/local/sbin/find_ddos -y

you'll receive this error:

Usage: find_ddos [-g grabdir] [-l logfile] [-p] [-v] [-V]
[-x exclude1] directory
If no parameters are given, the following defaults are used:
find_ddos -g files -l LOG -p /tmp /
If any parameters are given, the defaults are not used. In that
case, you must specify a directory to scan, or you can just use '-p' to
scan memory only.

This will work and will scan memory, /tmp, and /:

% /usr/local/sbin/find_ddos -y -g files -l LOG -p /tmp /

Cleaning a DDoS Agent

The final utility I'd like to cover is meant to be used if you find a DDoS
agent running on your network:

$ cd /usr/ports/security/zombiezapper
make install clean

The install will create an executable at /usr/local/bin/zz
and a directory, /usr/local/share/doc/zz/, containing the
files USAGE and tekpaper.txt. USAGE
gives detailed instructions on how to use the utility. Read it if you are ever
unfortunate enough to have infected computers in your network.

In addition to trinoo, tfn, and stacheldraht, zz recognizes
trinoo for Windows and shaft. It works over a network and was designed to stop
infected machines from continuing to flood the network.

It is important to realize that all three DDoS tools are only effective as
long as the attacker has not changed the default ports used by the DDoS
attacks.

In the next series of articles, I'd like to take a look at how DHCP works
and how to set up a DHCP server using a FreeBSD computer.

Dru Lavigne
is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.